Does Your Business Have a Security Plan?

You probably won't find many small businesses who have a head of security, but that does not mean they shouldn't have a plan to prevent loss of property or even life in the event of a burglary or other event.

The most important asset are the lives and safety of all staff, experts agreed, but there are other things that need to be protected, including the physical assets and infrastructure of the business itself as well as stock and finished goods. This usually requires a business alarm system. Any security strategy needs to include protection for both the critical infrastructure, such as telecommunications and technology, as well as the intellectual property, including documents related to research and development.

"A small company faces both internal and external security risks," said Niall Kelly, the CIO of Netwatch USA, a remote-visual-monitoring company. "Most importantly, however, it is essential that companies provide a risk-free and safe working environment for their employees."

The best way to address security risks is to carry out a full company risk assessment analysis to identify the key areas of concern and determine the necessary procedures to take to secure all of the company's assets, experts said.

"From an exposure point of view, the largest risks are being negligent in providing adequate protection to a company's people," said Mike Gauer, vice president of business development for Datawatch Systems, a managed security solutions provider for commercial office buildings. "'Adequate' is the operative word. What is 'adequate' in Toledo, Ohio, may be grossly inadequate in New York City. Accordingly, the goal is to strike the correct balance relative to the risks in a given demographic."

How should a small business owner go about developing a security plan?

"A security plan is essential because it ensures the resulting security system is protecting the right vulnerabilities," said David Gottlieb, director of marketing communications for Honeywell Security Group, a security equipment provider. "Generally speaking, a small business should first conduct an audit to determine those vulnerabilities. Once those vulnerabilities are identified, the right type of security system can be designed and installed."

Gottlieb said that questions to ask could include:

Is the immediate neighborhood free of crime generators, including late-night social or retail establishments, etc.?

Are visitor entry points clearly identified?

Is the property designed in such a manner that visitors have to check in at an administrative office or desk before they can access other parts of the building?

Are exterior doors not used as designated entry points locked to prevent entry from the exterior?

Are all exterior windows easily locked?

The security plan needs to outline how the company's sensitive data will be protected. "The No. 1 threat is not the bad guy or teenager hacking into your computer system, it is the physical loss of the machines where all of the data is stored," said Matt Pahnke, senior manager of product marketing for the commercial business unit of NETGEAR, a networking and data-storage provider. He said there should be a clear plan for backing up data offsite, be it on a redundant drive or in the cloud.

Security plans should be flexible enough to cover internal as well as external thefts, experts said. "Do you have a code of conduct and/or employee manual that states how thefts will be handled?" said Annie Searle, principal, Annie Searle & Associates, a risk consulting firm. "Do you spend time explaining to employees what belongs to the company — i.e., intellectual property — and what is available for the benefit of the employee?"

Gauer added that many businesses of all sizes often neglect to outline the precautions to be taken by employees walking to their car if leaving work late at night.

Another area that doesn't get a lot of attention is the disposal of computers and other devices. "Once these devices have outlived their usefulness, they are often thought of as fair game for employees," said Kyle Marks, the founder of Retire-IT, a company that manages the retirement, recycling and remarketing of unwanted computer equipment.

He suggested a reverse procurement process. "You wouldn't accept a shipment of 99 computers when you were supposed to get 100," he said. "You should have the same accounting for your computers as they go out the door, and make sure they are wiped clean of all sensitive information."

Experts said business owners have to use technology to streamline the security checkpoints, especially when it comes to inventory management. "Any security plan has to include information on how you are managing and security your inventory, which can be greatly helped with the use of technology, but sometimes small business owners might want to take shortcuts or rely solely on paper records," said Elijah Shaw, CEO of Icon Services Corp. "There are so many things that might be in any inventory that would have value on the black market."

Small business owners can't just develop the plan and store it away, said security experts. "Preparing for something like a robbery is essential because you want to practice your reaction," Shaw said. "It is like a scary movie. Once you've seen it three or four times, it is no longer quite as scary."